5.3.5 and Pro 2.2.9 released, including a security update

Posted on January 22, 2013

At the end of last week we released 5.3.4, shortly followed by 5.3.5, and we have just released Pro 2.2.9 today. Among various bugfixes and minor improvements, these updates include a fix for a security vulnerability, so everyone should upgrade immediately from any previous version.

Medium-risk XSS vulnerability fixed

We would like to thank High-Tech Bridge Security for spotting this potential vulnerability in the plugin and taking the time to notify us about it; we fixed it within 24 hours of being told. We will not go into details about the fix for security reasons, but this information will be made public on their site in early March, which we hope is enough warning for everyone to update their plugin and close this vulnerability.

A drawback of Open Source software is that it is easier for vulnerabilities to be uncovered, since the source is publicly available and can be scrutinized by anyone who wishes to do so. However, rest assured that when we come across any vulnerabilities they will be fixed immediately.

Pro users should update to 2.2.9 or…

In the event that you don’t want to update yet and/or don’t have access to updates, we have produced a small plugin/script which you can download here. This script closes the security vulnerability so that you can safely continue using a previous version. You can install it by unzipping the file (it contains a single PHP file) and then doing one of the following:

upload this file to your wp-content/mu-plugins folder (create it if it doesn’t exist); WordPress loads files in that folder automatically, so no activation is needed

add the contents to the bottom of your events-manager-pro.php file

add the contents to the bottom of your theme’s functions.php file

EM 5.3.5 Changelog

Since we quickly released version 5.3.5, which patched a bug in 5.3.4, we’ll include a combined change summary for the two releases (the first item in the list applies to 5.3.5).

fixed bug in placeholder formatting

fixed Multilingual settings not saving the default language setting if other than English

fixed typo in performance optimization settings

fixed warning of undefined ID on archive pages when enqueuing scripts

fixed special characters being converted to entities in non-html emails

fixed typo in options for category/location event list placeholders

corrected Slovak translation, thanks to Julius Pastierik

added British translation, thanks to Jeff Cole

added some code to the booking form JS to prevent JS conflicts with JetPack’s reCaptcha